The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will have substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditions for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority for upper management at some global companies, it will be soon.
by Daniel J. Solove
I was corresponding with K. Royal the other day, as she was graciously providing some feedback on a training program I created, and we got to talking about sensitive data. In their privacy laws, many countries designate a special category of data called “sensitive data” that receives especially stringent protections.
The most common list of categories for sensitive data is the list in the EU Data Protection Directive, which includes data about “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, health, and sex life.”
The US has no special category of “sensitive data” but US privacy law does protect certain forms of data more stringently (health, financial).
I find it interesting what various countries define as sensitive data, and K Royal has created an awesome chart that she shared with me:
To a privacy wonk like me, a chart like this makes me giddy with excitement, and so I thought I’d share it with you (with her permission, of course).
Here’s a tally of the most commonly recognized categories of sensitive data, based on a chart of many countries’ sensitive data categories that K Royal created.
SPECIFIC COUNTRIES’ DEFINITIONS OF SENSITIVE DATA
Note: The entry for “standard” means the standard list from the EU Data Protection Directive. The categories encompassed by “standard” include the one beginning “national, Racial/Ethnic” through “sexual preferences and practices.” More background about K’s project can be found at her blog.
If you want to see the spreadsheet data laid out in a blog post, you can see my longer post about the issue at my LinkedIn Blog.
by Daniel J. Solove
Is the right to be forgotten good or bad?
This is the question many are asking these days in light of the recent EU Court of Justice (ECJ) decision that requires search engines such as Google to remove personal data from search results when people request it. (For more background, I wrote about the ECJ decision last week.)
After the decision was released, critics attacked the right to be forgotten as impractical, undesirable, and antithetical to free speech.
by Daniel J. Solove
In a momentous decision, the EU Court of Justice has ruled in favor of a Spanish man who sought to have links to his personal data removed from Google search results. Under what has become known as the “right to be forgotten,” EU citizens have a right to the deletion of certain personal data under the EU Data Protection Directive.
The EU Court of Justice has concluded that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”